完整的tls.cfg配置如下:
#
# Example Kamailio TLS Configuration File
#
# ---
# This is the default server domain profile.
# Settings in this domain will be used for all incoming
# connections that do not match any other server
# domain in this configuration file.
#
# We do not enable anything else than TLSv1.2+
# over the public internet. Clients do not have
# to present client certificates by default.
#
[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
private_key = /usr/local/etc/kamailio/kamailio-selfsigned.key
certificate = /usr/local/etc/kamailio/kamailio-selfsigned.pem
#ca_list = /usr/local/etc/kamailio/tls/cacert.pem
#crl = /usr/local/etc/kamailio/tls/crl.pem
# ---
# This is the default client domain profile.
# Settings in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
#method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
# ---
# This is an example server domain for TLS connections
# received from the loopback interface. We allow
# the use of TLSv1.2+ protocols here, we do
# not require that clients present client certificates
# but if they present it it must be valid. We also use
# a special certificate and CA list for loopback
# interface.
#
[server:5.6.7.8:5061]
method = TLSv1.2+
verify_certificate = yes
require_certificate = no
private_key = /usr/local/etc/kamailio/tls/local_key.pem
certificate = /usr/local/etc/kamailio/tls/local_cert.pem
verify_depth = 3
ca_list = /usr/local/etc/kamailio/tls/local_ca.pem
crl = /usr/local/etc/kamailio/tls/local_crl.pem
server_name = kamailio.org
server_id = kamailio.org
# ---
# Special settings for connecting to the example.sip (1.2.3.4)
# public SIP server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.
#
[client:1.2.3.4:5061]
verify_certificate = no
private_key = /usr/local/etc/kamailio/tls/example_key.pem
certificate = /usr/local/etc/kamailio/tls/example_cert.pem
ca_list = /usr/local/etc/kamailio/tls/example_ca.pem
crl = /usr/local/etc/kamailio/tls/example_crl.pem
server_name = example.sip
server_id = example.sip
# ---
# Example server profile for listening on any ip/port
# - it requires to have 'server_name' to match on SNI (domain and subdomains)
#
#[server:any]
method = TLSv1.2+
verify_certificate = yes
require_certificate = no
private_key = /usr/local/etc/kamailio/tls/mysipserver_org_key.pem
certificate = /usr/local/etc/kamailio/tls/mysipserver_org_cert.pem
verify_depth = 3
#ca_list = /usr/local/etc/kamailio/tls/mysipserver_org_ca.pem
#crl = /usr/local/etc/kamailio/tls/mysipserver_org_crl.pem
server_name = mysipserver.org
server_name_mode = 1
server_id = mysipserver.org
# ---
# Example server profile for listening on any ip/port
# - it requires to have 'server_name' to match on SNI (only subdomains)
#
[server:any]
method = TLSv1.2+
verify_certificate = yes
require_certificate = no
private_key = /usr/local/etc/kamailio/tls/mysipserver_net_key.pem
certificate = /usr/local/etc/kamailio/tls/mysipserver_net_cert.pem
verify_depth = 3
#ca_list = /usr/local/etc/kamailio/tls/mysipserver_net_ca.pem
#crl = /usr/local/etc/kamailio/tls/mysipserver_net_crl.pem
server_name = mysipserver.net
server_name_mode = 2
server_id = mysipserver.net
是不是有点复杂?
英文不好的看不懂,凑巧英文好了但是没有专业背景也得看好几遍才能明白